Remote Access options for Control Systems

A common client question these days is, “what is the best remote access option to connect to my control system?”

There's no single answer to this question, as different sites often have unique infrastructure and connectivity challenges. With that in mind, in this article I'll review five different remote access options used in industry today.

Virtual Private Network (VPN)

When a Systems Integrator (SI) or Original Equipment Manufacturer (OEM) works with an End User who has a modern IT infrastructure, the End User will commonly have remote access via Virtual Private Network (VPN) connection available for the SI or OEM to use upon request.

In this scenario, when the SI or OEM asks for remote access, the End User's IT department sets up a VPN login with access strictly to the Ethernet control system devices the SI or OEM needs to connect to. Once the login is set up and the credentials are shared with the SI or OEM, they will be able to connect directly to their control system devices via the internet and VPN connection. And by connecting directly to their equipment, they can program or configure it with any software they have installed on their PC.

While typically VPNs are only an option with larger firms, a VPN is a quick, easy, and secure means of remote access (and my preferred choice).
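
An added example, not from the original article: a short Python audit that checks whether the access list behind a vendor's VPN login really is limited to the devices the SI or OEM needs, as described above. The rule format, addresses and device list are constructed for illustration; 44818 is the standard EtherNet/IP TCP port.

```python
import ipaddress

# Constructed sample data: devices the vendor is approved to reach (IP, TCP port).
APPROVED = {
    ("192.168.10.21", 44818),  # PLC (made-up address)
    ("192.168.10.22", 44818),  # drive (made-up address)
}

# Constructed ACL for the vendor's VPN login: (destination CIDR, port or "any").
VENDOR_ACL = [
    ("192.168.10.21/32", 44818),  # tight: one device, one port
    ("192.168.10.22/32", "any"),  # right device, but every port
    ("192.168.10.0/24", 44818),   # whole control subnet
]


def audit_acl(acl, approved):
    """Return (findings, uncovered).

    findings:  rules broader than 'one approved device, one approved port'
    uncovered: approved (ip, port) pairs that no rule permits
    """
    findings, covered = [], set()
    for cidr, port in acl:
        net = ipaddress.ip_network(cidr, strict=False)
        # Approved device/port pairs that this rule would let through.
        hits = {(ip, p) for ip, p in approved
                if ipaddress.ip_address(ip) in net and port in ("any", p)}
        covered |= hits
        reasons = []
        if net.num_addresses > 1:
            reasons.append("destination is a subnet, not a single device")
        if port == "any":
            reasons.append("all ports allowed")
        if not hits:
            reasons.append("matches no approved device and port")
        if reasons:
            findings.append((cidr, port, reasons))
    return findings, sorted(approved - covered)


if __name__ == "__main__":
    findings, uncovered = audit_acl(VENDOR_ACL, APPROVED)
    for cidr, port, reasons in findings:
        print(f"REVIEW {cidr} port {port}: {'; '.join(reasons)}")
    for ip, port in uncovered:
        print(f"MISSING rule for {ip}:{port}")
```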

Remote Desktop, Terminal Services, Citrix

Similar to the above VPN option, the Remote Desktop / Terminal Services / Citrix option differs in so far as it does not allow direct access to the control system itself. Instead, the End User's IT department grants the SI or OEM an Internet login to a “remote desktop” or Terminal Server/Citrix session hosted on a server in the End User's facility.

In this scenario, since the SI or OEM is “remotely logging in” to a “remote desktop” session, all the software and licensing needed to program and configure the control system needs to be installed on the Remote Desktop / Terminal Services / Citrix server within the End User's site. This provides the End User with a much higher degree of control and security as he controls the programming environment, including permissions and software available, which the remote user will have access to after logging in.

The advantage of this remote access option is how the End User could institute restrictions on remotely connected users as needed. For instance, by changing the virtual desktop control system software permissions prior to starting a critical phase of production, they could in fact limit the remote user's ability to make any changes to the control system, essentially putting the remote user into a “monitor” only mode. Once the production phase was completed, if needed the End User could once again allow remote users the ability to make control system changes.

In contrast, when using a VPN the remote user's computer is directly connected to the control system, and the permissions on the remote user's system determine his capabilities when interfacing with the control system devices the End User selects. This results in the End User being limited to allowing or disallowing the connection, without being able to control what can be done once connected.

Remote Access and Control software

For decades controls engineers have been using packages like “PC Anywhere” to remotely connect to and control PCs. This was originally accomplished using the plain old telephone system (POTS), but for the last decade it's been predominately done using the Internet. One advantage of this method is you only need a phone line or Internet connection and a PC stationed with the control system, with no other setup or management needed from the on-site IT department.

These days you no longer need to buy a shrink-wrapped product like “PC Anywhere” to achieve this functionality. Websites like GoToMyPC, apps like LogMeIn, and freeware like VNC all allow for the same functionality at little or no cost.

The way these packages work starts with installing the software on the PC you wish to remotely control. You then identify the PC by giving it a unique name, and set up user accounts, passwords, and permissions to allow remote access to the PC. Then on your remote device (PC, tablet, or smart phone) you install the client software used to remotely connect and log into the PC.

Like the Remote Desktop option, with Remote Control software all the licenses and software needed remotely must be installed on the PC located with the control system, as you are just remotely controlling that PC across the Internet.

Remote Access Hardware: Internet Gateway

When it's not possible or cost effective to install a remote PC with software licenses at the end user's site, and there is no IT department to manage a VPN or Terminal Server, the next best thing is to install a remote access internet gateway.

These devices, like the Spectrum Controls Webport pictured on the right, act much like the GoToMyPC service but without the remotely installed PC and software licenses. You simply install the device remotely with the control system and provide an internet connection. Then you log in to the device, and set up users, passwords and access options.

Once configured you can remotely connect with your PC and be connected to the control system devices on the same Ethernet network as the remote access gateway.

Remote Access Hardware: Cellular Access

Similar to Remote Access Internet Gateway devices, the cellular version only requires a strong cell signal, where the internet gateway required internet access at the control system.

The downside is the need for a strong cellular signal, any antennas and antenna cables needed to get that signal, and the cost of a cellular data plan with enough data for the predicted usage.

But when you need to communicate to remote locations where no internet or phone service is available, and line of sight is prevented by the terrain, cellular remote access can be the most affordable remote access option.

Remote Access Hardware: Dial-up Access

While Remote Access via Internet Gateway or Cellular Modem relies on modern technologies, some applications will still be best served by a legacy POTS phone line, and that's where dial-up access comes in.

Having used several different “over the counter” modems I can say without a doubt that the Rockwell RADKITs pictured to the right are by far a much better solution for A-B PLCs as they are guaranteed to work, come with all the necessary cables, and selecting the settings is as easy as flipping a DIP switch.

The Ethernet Switch version is especially suited to today's control systems, which many OEMs and SIs ship into areas where only standard phone lines are available.

I hope this article about remote access options for control systems was helpful. If you have any questions or comments please click on the “post a comment or question” link below to comment on this article.

Old Comment:

Similar to the above VPN option, the Remote Desktop / Terminal Services / Citrix option differs is so far as it
— should be ” in so far”

Like the Remote Desktop option, with Remote Control software all the licenses and software needed remotely must be installed on the PC located with the control system as you are just remotely that PC across the Internet.
— should be “just remotely CONTROLLING that PC “

You know, I’ve seen VPN connections to overseas facilities that were nearly as fast as a local Ethernet connection, as well as some so slow that a local serial connection would be a huge improvement.

So the way I look at it is, the slower the connection, the longer the interval between updates from the PLC.

One example of this I think many of us are familiar with is connecting to a PLC via Serial vs Ethernet.

Over a serial connection, the updates are so slow that you don’t see tag / data table value changes which are only present for very short periods.

However over Ethernet you typically see most changes in tags / data table values, except for those which are present for very short periods (i.e. less than a quarter second)

That said, in either case the updates provided to your programming software are done so over many PLC Program and I/O scans, so even with Ethernet you’re seeing data read in over a period of time, and not a snapshot in time.

So in the end, if I were faced with troubleshooting over a slow connection, one solution I would use is to write a subroutine to collect the pertinent data into a tag array so I’d have an accurate log of what transpired during the event I was trying to troubleshoot.

I am interested in the Spectrum Controls Webport internet gateway for remote access at a small dairy plant. I looked on their website but didn’t see any options to buy or locate a distributor. I saw some models on Ebay which look different from the one you posted. Do you know the model number of the one you have pictured above? Thanks.

I suggest staying away from the old models you see on Ebay – they’re hard to use and obsolete.

The new Webport pictured should be available from your local Rockwell rep or distributor, but you may also want to check out the E-Won Cozy which is even EASIER to use than the Webport and last I checked doesn’t require an annual contract.

PS – If anyone from Ewon reads this, I’d love to get my hands on one of your Cozys in order to do a proper review 🙂